FIG. 1 (system overview; only the reference numerals 110 and 120 were recovered from the drawing).



FIG. 2 (preprocessing of an application package 110), labels recovered in drawing order:
  Inputs: 210 APPLICATION BINARY; 220 LIBRARIES; 230 CONFIGURATION FILES; 240 DATA FILES
  PREPROCESSOR MODULE
  Outputs: 215 MODIFIED BINARIES; 225 (label not recovered); 235 MODIFIED CONFIGURATION FILES; 245 MODIFIED DATA FILES; NEW EXECUTION ENVIRONMENT INFORMATION, DIRECTORY STRUCTURES, SECURITY INFORMATION
  260 SYSTEM INFORMATION



FIG. 3 (NORMAL EXECUTION), labels recovered in drawing order: 310; 320 SYSTEM INTERFACE; 340; 350 SYSTEM DLL's; 330; 360 RESOURCE ALLOCATION AND DEALLOCATION, REGISTRY, FILE SYSTEM; 370 OTHER ENVIRONMENT; 380; 390 NETWORK, GRAPHICS INTERFACES; OPERATING SYSTEM.



FIG. 4 (SECURE EXECUTION), labels recovered in drawing order: 410; 405 PREPROCESSED APPLICATION; APPLICATION MANAGER; 415 INTERCEPTED SYSTEM CALLS; 420, 425, 430, 435: VIRTUALIZED RESOURCE ALLOCATION AND DEALLOCATION, VIRTUALIZED REGISTRY, VIRTUALIZED FILE SYSTEM; VIRTUALIZED SYSTEM INTERFACE (RESOURCES, FILES, DATA, NAMES); 440, 445: VIRTUALIZED OTHER ENVIRONMENT, VIRTUALIZED NETWORK; 320 SYSTEM INTERFACE; 450 VIRTUALIZED GRAPHICS INTERFACES; 340 SYSTEM DLL's; 350, 330, 360: RESOURCE ALLOCATION AND DEALLOCATION, REGISTRY, FILE SYSTEM; 370, 380: OTHER ENVIRONMENT, NETWORK; 390 GRAPHICS INTERFACES.



FIG. 5 (flowchart):
  BEGIN
  510 Compile source code into object code
  520 Preprocess application package for execution in the secure client environment
  530 Application manager on client retrieves modified object code from server
  540 Initialize application package and patch libraries
  550 Virtualize intercepted calls during execution
  560 Transmit results to server
  RETURN



FIG. 6 (flowchart):
  610 Modify, and add additional execution environment information of, package
  630 Encrypt files of application package
  640 Encrypt filenames
  650 Encrypt filenames in import table
  660 Encrypt and sign application package
  RETURN



FIG. 7 (flowchart detailing step 610):
  BEGIN
  Scan for improper instructions or sequences
  710 Rewrite application binary to intercept improper sequences
  740 Rewrite import table of binaries to add interception module
  760 Store modified application binary
  RETURN



FIG. 8 (flowchart):
  BEGIN
  810 Add interception module to application package
  820 Add security information to application package
  830 Provide virtual environmental settings for system database
  840 Provide virtual system modules to allow application package to execute on non-native platforms
  850 Remove selected files from application package
  860 Obfuscate directory structure
  END



FIG. 9 (flowchart):
  BEGIN
  910 Application manager requests operating system to execute application package
  920 Operating system loads all libraries identified by import tables into memory
  930 Operating system executes initialization routine of default system libraries
  940 Operating system examines import table and executes initialization routine of the intercept module first
  950 Patch loaded libraries
  960 Make all code pages execute only and remove all execution privileges from remaining pages
  970 Initialize virtual system database
  980 Start virtual machine communication thread
  990 Operating system executes initialization routines of other libraries in the import table



FIG. 10 (flowchart detailing step 950):
  BEGIN
  1010 Create an available list of routines based upon all system routines listed by the export table of the library being processed
  1020 Create a shutdown list by deleting from available list all system routines maintained by intercept module
  1030 Intercept routines in shutdown list so that they invoke an error handling routine
  1040 Intercept all routines identified by virtual list
  1050 Routines in mediated list are not modified
  RETURN



FIG. 11 (flowchart):
  BEGIN
  1110 Retrieve start address of routine to be intercepted
  1120 Retrieve start address of the wrapper routine
  1130 Create a dynamic version of the intercepted routine
  1140 Set page attributes of dynamically created code to execute only
  1150 Replace original routine with no-ops ending with error code
  1160 Change entry point of intercepted routine to directly point to wrapper routine
  1170 Modify variable used by wrapper routine to point to dynamically created routine
  RETURN




FIG. 12 (flowchart; element 1210):
  1240 Should application create new database?
  Yes: 1220 Create virtual database
  1250 Copy predefined list of non-changed keys from system database to virtual database
  1260 Read predefined list of masked keys from real system database
  Yes: 1270 Completely or partially change data using predefined data for database table maintained by intercept modules
  1280 Write the new changed data to virtual database
  RETURN




FIG. 13 (only the reference numerals 1345, 1350 and 1355 were recovered from the drawing).



FIG. 14 (flowchart; Yes/No branch labels only partially recovered):
  BEGIN
  1405 Identify type of file system request
  1410 Open
  1415 Read or write
  1420 Map file to memory
  Yes: 1480 Do not modify call
  Yes: 1482 Encrypt filename
  1450 Create virtual and encrypted filename to redirect it to sandbox
  1425
  1430 Routines that return a filename
  Unmap file from memory
  Yes: 1455 Does directory in filename exist in virtual root tree?
  1460 Create directories in virtual tree
  Yes: 1486 Remove write privileges from open command
  No: 1490 Call original open and return handle
  RETURN



FIG. 15 (flowchart):
  BEGIN
  Identify block corresponding to address causing exception
  If exception is not handled by the application, then notify a virtual machine thread
  Decrypt block from real buffer, copying it to the virtual buffer
  1540 Modify virtual memory block protection flag to be accessible
  RETURN




FIG. 16 (flowchart):
  1620 Load library "NAME" into memory if not already loaded
  1630 Has file been modified?
  Yes: Check for improper instruction sequences
  No: Recursively load all libraries that selected library depends upon in its import table list into memory if not already loaded
  1650 Patch loaded libraries
  Make code pages execute only and remove all execution privileges from remaining new pages
  Execute DLL initialization of all loaded libraries
  (further reference numerals 1660, 1665, 1670 recovered without box pairing)



FIG. 17 (flowchart):
  BEGIN
  1710 Check file for improper instruction sequences
  1720 Intercept improper sequences that were found
  1740 (decision) Yes: Virtual memory space allocated containing those improper sequences not intercepted will be set such that it cannot be executed




FIG. 18 (no labels recovered from the drawing).



FIG. 19 (ACCEPT, flowchart):
  Initialize socket structure (local) with input parameters to accept
  Remove entry from connect queue and initialize options and remote socket structure from entry
  Enqueue message for proxy sending back local socket structure to remote proxy
  RETURN



FIG. 20 (SEND, flowchart):
  (decision) Yes:
  2030 Write buffer into send queue
  2040 Notify proxy
  RETURN



FIG. 21 (SEND TO, flowchart):
  BEGIN
  Update remote socket structure in socket table
  2150 Write buffer into send queue
  2160 Notify proxy
  RETURN



FIG. 22 (RECEIVE, flowchart):
  2220 Return error
  Copy into buffer up to amount specified to receive
  2250 Remove consumable entries from receive queue
  2255 Return number of bytes copied
  END



FIG. 23 (RECEIVE FROM, flowchart):
  BEGIN
  2350 Remove consumable entries from receive queue
  2355 Look up the remote address and update the arguments
  2360 Return number of bytes copied



FIG. 24 (CLOSE; no further labels recovered).




FIG. 25 (no labels recovered from the drawing).



FIG. 26 (SELECT, flowchart):
  BEGIN
  2610 Wait for specified delay time to expire
  2620 Given list(s) of sockets, find all sockets meeting a given condition
  2630 Modify socket list based on query
  2640 Return number of sockets that meet condition
  END



FIG. 27 (SOCKET, flowchart):
  BEGIN
  2710 Create new entry in socket table and initialize entry
  2720 Return unique socket ID
  END



FIG. 28 (BIND; no further labels recovered).



FIG. 29 (CONNECT; no further labels recovered).



FIG. 30 (LISTEN; no further labels recovered).



FIG. 31 (QUERY; no further labels recovered).



FIG. 32 (UPDATE; no further labels recovered).




FIG. 33 (flowchart):
  BEGIN
  3310 Refuse to make page with execution privileges readable
  3320 Refuse to make page with execution privileges writeable
  Check page for improper instruction sequences
  3350 Intercept improper sequences found
  Refuse to make pages containing these remaining, not intercepted improper sequences executable
  3370 Make pages with no improper sequences, or ones with all improper sequences intercepted, executable
  END




FIG. 34 (flowchart):
  BEGIN
  3405 Routines that directly: show window or make it visible, activate, draw, display, change focus, paint, etc.
  Disable aspects of routine that affect visible aspect of graphical user interface
  3415 Create window or normal dialog box creation
  3420
  3430 Create a modal dialog box
  Set style of window to "HIDE" or "INVISIBLE"
  3425 Call the original create routine
  3410 Send messages and set window properties to windows not in application package are disabled
  3450 Call a window [...] messages (box text only partially recovered)
  3435 Do not create modal dialog box; instead return a result most likely to continue execution
  3440
  3455
  3460 Communicate dialog message to VM communication thread
  3445 Before calling the real operating system routine, remove the window styles that: show it, make it visible, activate it, make it the focus, etc.
  RETURN




FIG. 35 (UPDATE KEY; only step 3560 recovered from the drawing).



FIG. 36 (OPEN KEY, flowchart):
  BEGIN
  3605 Look in virtual database for key
  3635 Open key in real database
  Yes: 3640 Look up key in predefined run-time change list
  Yes: 3645 Insert fake key, value, and data in virtual database
  Change all values in predefined list
  3650 Write key with all new and unchanged values and data to virtual database
  3625 Allocate a handle in virtual database
  3630 Return handle
  RETURN



FIG. 37 (CLOSE KEY; only BEGIN recovered from the drawing).



FIG. 38 (flowchart):
  BEGIN
  3810 Query system using file handle to get filename
  RETURN



FIG. 39 (flowchart):
  BEGIN
  3910 Identify encrypted blocks containing requested data
  3920 Read encrypted blocks from file system into a temporary buffer
  3930 Decrypt contents of temporary buffer
  3940 Copy decrypted address range into original buffer
  RETURN



FIG. 40 (flowchart):
  BEGIN
  4010 Identify address range to be written to
  4020 Read encrypted blocks containing corresponding address range from file system into a temporary buffer
  4030 Decrypt contents of temporary buffer
  4040 Copy stored buffer into temporary buffer
  4050 Encrypt temporary buffer
  4060 Write buffer to disk
  RETURN



FIG. 41 (flowchart):
  BEGIN
  4110 Load and map file into memory
  4120 Has file been modified?
  Yes: 4130 Check for improper instruction sequences
  No: 4140 (decision) Yes
  4150 (decision) No
  Reserve a region without allocating physical resources
  4160 Store in memory mapped table a pointer to virtual buffer, pointer to real buffer, size and handle
  4170 Return pointer to virtual buffer address
  4180 Return pointer to real buffer
  RETURN



FIG. 42 (alternate to FIG. 41, flowchart):
  BEGIN
  4210 Load and map file into memory
  4220 (decision) No / Yes
  Yes: 4230 Create a virtual buffer containing decrypted data from real buffer
  4250 Return pointer to real buffer
  4240 Return pointer to virtual buffer
  RETURN




FIG. 43 (flowchart; real and virtual buffers):
  4320 Identify which portions of buffer have been modified
  4330 Encrypt identified portions of memory into real buffer
  4340 Call operating system with real buffer
  RETURN



FIG. 44 (flowchart):
  Execute requested routine
  4420 Decrypt each of the returned filenames
  RETURN



FIG. 45 (flowchart):
  (decision) Yes:
  4510 Identify encrypted portions of pathname using prefix and postfix symbols
  4520 Decrypt the encrypted part of the pathname
  4530 Encrypt the full pathname
  RETURN



FIG. 46 (TRADITIONAL SYSTEM LAYOUT): APPDIR containing EXE FILE, DATA FILE, LIBRARY and APP WORKSPACE; SYSTEM FILES; TMP.



FIG. 47 (VIRTUALIZED SYSTEM LAYOUT): SANDBOX LAYER containing EXE FILE, DATA FILE, LIBRARY and APP WORKSPACE; VIRTUAL ROOT; SYSTEM FILE.



Socket table figure (drawn rotated; figure number between FIG. 47 and FIG. 49 not recovered), entry fields recovered: CONNECTION QUEUE; RECEIVE QUEUE; SEND QUEUE; SOCKET OPTIONS; SOCKET STATUS; REMOTE SOCKET STRUCTURE; "ENTRY" LOCAL SOCKET STRUCTURE.
FIG. 49 (drawn rotated; label text not recovered).



FIG. 50 (flowchart; boxes listed in drawing order, branch structure only partially recovered):
  BEGIN
  5000 (decision) PAUSE / RESUME / 5005 CHECKPOINT
  5040 Make list of all threads in process
  5005 Call resume thread on all threads in suspend list
  5030 Remove from list VM threads
  5010 Remove thread from suspend list once it is resumed
  Yes: 5035 Call checkpoint routine in application
  5045 Suspend all threads remaining in this "suspend" list
  5015 Store the list of suspended threads
  5020 Return success or failure event to application manager
  5025 END




FIG. 51 (flowchart):
  BEGIN
  5100 Result file completion
  5105 Send progress statistics to application manager
  5110 Send finished result filename and location to application manager
  5115 END



